Kimsuky AI-assisted phishing campaign using deepfake South Korean military IDs
Campaign
Summary
North Korea-linked Kimsuky began using ChatGPT and other AI services to generate fake identities and make phishing lures more convincing. In the latest phishing campaign, the group used deepfakes of South Korean military identification documents to entice recipients to click a link and open a file. The operation targeted journalists, researchers, human-rights activists, and a defense-related institution. The tactic matters because AI-generated impersonation can raise engagement and help disguise malicious execution.
Related Happenings
APT28 long-term espionage campaign targeting Ukrainian military personnel
Campaign
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...
APT28 credential-harvesting campaign against energy and regional targets
Campaign
First: 09.01.2026 17:28
Last: 09.01.2026 17:28
Sources 1
About this happening:
**APT28 (BlueDelta)** ran a **credential-harvesting campaign** that targeted a **Turkish energy and nuclear research agency**, a **European think tank**, and organizations in **No...
Kimsuky QR-code spear-phishing campaign against think tanks and government entities
Campaign
First: 09.01.2026 07:46
Last: 09.01.2026 07:46
Sources 1
About this happening:
The **FBI** warned that **Kimsuky (APT43)** is running a **QR-code spear-phishing campaign** that targets **think tanks, academic institutions, and U.S. and foreign government ent...
South Korea-based counselor who specializes in psychological support hit by account takeover attack
Incident
First: 11.11.2025 02:46
Last: 11.11.2025 02:46
Sources 1
About this happening:
The **KakaoTalk account** of a **South Korea-based counselor** was **compromised** on **September 5**, allowing an attacker to send a **malicious file** to an **actual defector st...
UTA0388 spear-phishing campaign delivering GOVERSHELL
Campaign
First: 09.10.2025 20:19
Last: 09.10.2025 20:19
Sources 1
About this happening:
A **China-aligned** actor, **UTA0388**, is running a **spear-phishing campaign** across **North America, Asia, and Europe** to deliver the **GOVERSHELL** implant. The operation ma...
Timeline
17.09.2025 03:00 2 articles · 8mo ago
Kimsuky uses AI-generated military ID lures
Initial Disclosure: North Korea-linked Kimsuky used ChatGPT and other AI services to generate fake identities, including deepfakes of South Korean military identification documents, to make phishing lures more convincing and to obscure code execution. The lure targeted journalists, researchers, human-rights activists, and an affected defense-related institution, and victims were directed from a phishing link to a zip archive and then an LNK file.
- North Korean Group Targets South With Military ID Deepfakes — www.darkreading.com — 17.09.2025 03:00